Managing malware – part 1

The statistics are startling. Incidences of malware continue to rise with 450,000 new pieces discovered and identified each day, according to AV-Test, an independent security-testing organisation. It’s not a trend that’s likely to reverse any time soon. Since 2007, cases of malware have doubled every year, but this year has seen a more worrying trend. The number of recorded incidences of malware in the first six months of this year has already exceeded the number identified in the whole of 2013. It’s likely then that 2014 will see malware quadruple rather than just double.

Just take a look at last week’s Shellshock/Bash bug problem. Hackers had exploited the vulnerabilities of the bug within hours of it being disclosed. Millions of attacks took place in the following couple of days, and commentators have compared it to Heartbleed in seriousness, highlighting the speed and increasing frequency of high-impact malware.

So what’s changed? Why is the threat landscape growing? Back in 2006, malware was only really used to target nation states. It took this level of sophistication to breach a government’s online security perimeter. The breach of Iran’s nuclear programme network was probably the most high-profile incursion of that time. About five years ago the hackers moved to targeting large companies as malware became more widely available to criminals. Today we’re seeing small companies and individuals targeted. The days of “I’m not interesting enough or too small fry to be targeted by hackers” are over. Malware is becoming a commodity.

Before discussing what you can do to protect your company, it’s necessary to identify the steps that malware typically takes around your organisation. This is known as the Advanced Persistent Threat (APT) kill chain and it follows five easily identifiable steps.

1. Reconnaissance – fraudsters start to research publicly available sources of information on companies. They use both traditional and online media, such as Facebook and LinkedIn, to identify personal details that can be used to hack passwords. This is what happened recently with the iCloud hack.

2. Incursion – hackers then employ standard malware techniques to breach your network based on the information gleaned from the reconnaissance phase. Once in, they can go silent for months before moving on to the next stage.

3. Discovery – fraudsters will move laterally across the network to capture data that’s useful in their continued exploitation of your security. This data can include credit card details, passwords, even financial information.

4. Capture – using simple capture techniques the fraudsters will collect data ready to move it out of the organisation.

5. Exfiltration – hackers employ command and control techniques as a mechanism for getting your data out of and beyond your corporate network. It’s typically sent to a botnet and then on to a website where it can be sold and then used fraudulently by the wider criminal fraternity.

While the above sounds like something from a movie, it’s a very real threat to companies large and small. We recently helped a customer who had become a victim of malware. With less than 15 employees, this small Yorkshire-based transport company had its network breached. When the hacker was unable to find anything useful it ran a cryptolocker programme that encrypted the entire network. The company had to pay a ransom for an undisclosed amount to get its own data unencrypted.

Hopefully, I’ve provided you with an understanding of how the hackers get in and the route they take. In my next blog, I’ll look at the problems with traditional security approaches and what you can do to up your security protection.